Session handling in Struts 2.1.6 - session

I have a project with the following setup:
Tomcat 6.x
Struts 2.1.6
DisplayTag 1.2
Spring 2.x (1 or 5, don't remember now)
I want to know how to do session control in every action of my app, e.g. if the users aren't logged in, they're redirected to a certain page to log in (in the case of my project, either the user comes to a specially crafted URL like login/SPECIALHASHTOLOGIN or won't enter at all).
Need more details?
Thanks in advance.

I'm still new to S2 as well, but I believe what you will need to do is modify the default interceptor stack (or create a custom stack) and add a custom interceptor. This custom interceptor will need to implement SessionAware to access the user session, and must implement your custom logic (which action to redirect to, which URLs do not need protection, etc.).
Here is a good tutorial of a LoginInterceptor that behaves similarly to what you are requesting.
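The interceptor described above, written out as an added example (this is not the linked tutorial's code nor anything from the question). It assumes Struts 2.1 with the XWork `AbstractInterceptor` API, that a successful login stores the user under the session key `authenticatedUser`, and that a global result named `login` exists; the package layout in the comment is likewise an assumption.

```java
package example.security; // hypothetical package

import java.util.Map;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Aborts every action unless the HTTP session already carries a logged-in user.
 * Actions that must stay reachable anonymously (the login action itself, the
 * special-URL entry point) live in a package that does NOT use this stack.
 *
 * struts.xml wiring (assumed names):
 *
 *   <package name="secure" extends="struts-default">
 *     <interceptors>
 *       <interceptor name="login" class="example.security.LoginInterceptor"/>
 *       <interceptor-stack name="secureStack">
 *         <interceptor-ref name="login"/>
 *         <interceptor-ref name="defaultStack"/>
 *       </interceptor-stack>
 *     </interceptors>
 *     <default-interceptor-ref name="secureStack"/>
 *     <global-results>
 *       <result name="login" type="redirectAction">
 *         <param name="actionName">login</param>
 *         <param name="namespace">/</param>
 *       </result>
 *     </global-results>
 *     ... protected actions ...
 *   </package>
 *
 *   <package name="open" extends="struts-default" namespace="/">
 *     <!-- uses the plain defaultStack, so no login check -->
 *     <action name="login" class="example.web.LoginAction"> ... </action>
 *   </package>
 */
public class LoginInterceptor extends AbstractInterceptor {

    /** Session attribute written by the login action (assumed key). */
    public static final String USER_KEY = "authenticatedUser";

    /** Name of the global result that sends the browser to the login page (assumed). */
    public static final String LOGIN_RESULT = "login";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // The same session map an action gets through SessionAware
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = (session == null) ? null : session.get(USER_KEY);

        if (user == null) {
            // Returning a result name here skips the action entirely:
            // the global "login" result is rendered instead of invoking it.
            return LOGIN_RESULT;
        }
        // Logged in: continue down the interceptor stack to the action
        return invocation.invoke();
    }
}
```

Because the check happens in the interceptor rather than in each action, forgetting to call it in a new action is no longer possible; the only way to expose an action is to place it in the unprotected package, which is a deliberate decision visible in struts.xml.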

Acegi security is a great way to add security to your web app if you're already using Spring. Here's a decent 1-hour Acegi tutorial.

Related

Vaadin using SpringSecurity authentication

Currently learning Vaadin8+SpringBoot; Vaadin made me want to forget about HTML for a while. Anyway, all was good for some CRUD operations until I mixed SpringSecurity into the project. Well, I've been searching for days now and no solution could fit in well with the expected requirements.
Expected output:
Vaadin8+SpringBoot+SpringSecurity
All in one project/module/artifact
2 @SpringUI (MainUI = "", LoginUI = "/login")
Multiple @SpringViews contained by MainUI's ViewDisplay
Limitations:
No login.html (from the Vaadin's demo backery app)
No SpringMVC for login page
No vaadin4Spring dependency
Configurations done through annotations and not through XMLs
I know there's a way, but I'm blocked on how to progress on this. And if it's really not possible, I need to understand why it isn't.
When you configure Spring Security, you need to allow anonymous access to the /login URL (either login.html if it is a non-vaadin form, or the login UI path if you want a separate UI for login). You also need to restrict access to the actual application UI. You also need to allow anonymous access to the static resources (i.e. /VAADIN/**).
The SecurityConfig in Bakery may give you a starting point. (Note: the starter or its parts cannot be redistributed as a code example or template)
There is a more detailed explanation here, though it only covers Vaadin and Spring Security integration (i.e. no spring-boot).
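A Spring Security configuration that implements the three rules in the answer above (anonymous `/login` UI, anonymous `/VAADIN/**` static resources, everything else authenticated), plus the programmatic login the separate `@SpringUI` needs since there is no login.html and no Spring MVC form. This is an added example, not the Bakery starter's `SecurityConfig`; it assumes Spring Security 4.2/5.x Java config, Vaadin 8, and an application-provided `UserDetailsService` bean. The `MainUI` at path `""` is not shown.

```java
// File: SecurityConfig.java (assumed name)
package example.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

import com.vaadin.server.VaadinRequest;
import com.vaadin.spring.annotation.SpringUI;
import com.vaadin.ui.Button;
import com.vaadin.ui.Label;
import com.vaadin.ui.PasswordField;
import com.vaadin.ui.TextField;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService; // assumed application bean

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Vaadin 8 protects its UIDL requests with its own CSRF token and never
            // sends Spring's, so Spring's CSRF filter would block every UI request.
            .csrf().disable()
            .authorizeRequests()
                // static resources and the login UI; the UI's UIDL/heartbeat
                // requests share its path, hence the extra "/login/**"
                .antMatchers("/VAADIN/**", "/login", "/login/**").permitAll()
                // everything else, including MainUI at "", requires a logged-in user
                .anyRequest().authenticated()
            .and()
            // no form login: unauthenticated users are sent to the Vaadin login UI
            .exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean(); // exposed for LoginUI below
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

// File: LoginUI.java (assumed name); the second @SpringUI from the question
@SpringUI(path = "/login")
class LoginUI extends UI {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    protected void init(VaadinRequest request) {
        TextField username = new TextField("Username");
        PasswordField password = new PasswordField("Password");
        Label error = new Label();
        Button login = new Button("Log in", e -> {
            try {
                Authentication result = authenticationManager.authenticate(
                        new UsernamePasswordAuthenticationToken(username.getValue(), password.getValue()));
                // SecurityContextPersistenceFilter saves this into the HTTP session
                // when the current UIDL request finishes, so MainUI is reachable next.
                SecurityContextHolder.getContext().setAuthentication(result);
                getPage().setLocation("/");
            } catch (AuthenticationException ex) {
                error.setValue("Login failed"); // one generic message for bad user and bad password
            }
        });
        setContent(new VerticalLayout(username, password, login, error));
    }
}
```

Logout should go through Spring Security's `/logout` endpoint (left at its default above) rather than only closing the Vaadin session, so that the HTTP session holding the `SecurityContext` is invalidated as well.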

Spring Security without a login form

I am writing a java application using Spring. The application will be deployed to a Java EE container in a Linux environment, being accessed by Windows users.
Is there a way I can authenticate these users into the application without using any forms?
EDIT:
The first thing that I need to do is identify who the user is. After reading Block 87's article, I should start looking at SPNEGO and setting up each of the environments. From that point, I should be able to implement @ticktock's answer.
Yes, you just need to replace the UsernamePasswordFormFilter with your own authentication filter. Easiest if you extend AbstractAuthenticationProcessingFilter. You'll probably have to provide your own AuthenticationProvider as well.
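The replacement filter and provider the answer describes, as an added example (not the answerer's code). It consumes the `Authorization: Negotiate <token>` header that a browser sends for SPNEGO, which matches the direction taken in the question's edit, and validates the token with the Java GSS-API. Assumptions: Spring Security 3.1+ class names; the JVM already holds a Kerberos acceptor credential for the service principal (a JAAS `com.sun.security.jgss.accept` entry with a keytab, or the code runs inside `Subject.doAs`); roles are mapped to a fixed `ROLE_USER` here where a real application would consult its user store. The filter is registered in place of the form filter, e.g. `<custom-filter position="FORM_LOGIN_FILTER" ref="negotiateFilter"/>`, with `LoginUrlAuthenticationEntryPoint("/login")` as the entry point.

```java
// File: NegotiateAuthenticationFilter.java (assumed name)
package example.security;

import java.io.IOException;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/** Carries the raw SPNEGO token (unauthenticated) or the verified principal (authenticated). */
class NegotiateToken extends AbstractAuthenticationToken {
    private final Object principal;
    private final byte[] gssToken;

    NegotiateToken(byte[] gssToken) {                       // request from the filter
        super(null); this.principal = null; this.gssToken = gssToken; setAuthenticated(false);
    }
    NegotiateToken(String principal, Collection<? extends GrantedAuthority> auths) { // result from the provider
        super(auths); this.principal = principal; this.gssToken = null; setAuthenticated(true);
    }
    @Override public Object getCredentials() { return gssToken; }
    @Override public Object getPrincipal() { return principal; }
}

public class NegotiateAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    private static final String SCHEME = "Negotiate ";

    public NegotiateAuthenticationFilter() {
        super("/login"); // the URL the entry point sends unauthenticated users to (assumed)
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(SCHEME)) {
            // First round trip: challenge the browser. Returning null tells the
            // base class that authentication is still in progress.
            response.setHeader("WWW-Authenticate", "Negotiate");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }
        byte[] token = Base64.getDecoder().decode(header.substring(SCHEME.length()).trim());
        // Browsers outside the domain fall back to NTLM under the same scheme name;
        // an NTLM blob starts with "NTLMSSP\0" and is not a Kerberos ticket.
        if (token.length >= 7 && new String(token, 0, 7, "US-ASCII").equals("NTLMSSP")) {
            throw new BadCredentialsException("NTLM is not supported, Kerberos ticket required");
        }
        return getAuthenticationManager().authenticate(new NegotiateToken(token));
    }
}

// File: NegotiateAuthenticationProvider.java (assumed name)
class NegotiateAuthenticationProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        byte[] token = (byte[]) authentication.getCredentials();
        GSSContext context = null;
        try {
            // null credential: use the acceptor credential configured for this JVM
            context = GSSManager.getInstance().createContext((GSSCredential) null);
            context.acceptSecContext(token, 0, token.length);
            if (!context.isEstablished()) {
                throw new BadCredentialsException("SPNEGO context not established in one round trip");
            }
            String principal = context.getSrcName().toString(); // e.g. "alice@EXAMPLE.COM"
            // Fixed role for the example; look the principal up in your user store instead.
            return new NegotiateToken(principal, Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
        } catch (GSSException e) {
            throw new BadCredentialsException("Kerberos token rejected", e);
        } finally {
            if (context != null) { try { context.dispose(); } catch (GSSException ignored) { } }
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return NegotiateToken.class.isAssignableFrom(authentication);
    }
}
```

The identity comes from a ticket the KDC issued for this service, never from a client-supplied name, which is the property that makes form-less login safe; a filter that simply trusted a `REMOTE_USER`-style header would be spoofable by anyone who can reach the container directly.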

How to execute custom handler before Spring authentication manager

I wanted to know whether it is possible to have a custom handler execute just before the Spring authentication manager. I wanted to validate licenses for the user before he accesses the system. Initially I wrote a custom filter and executed it before calling the authentication manager, but in this case he won't be able to access some resources since he is not authenticated. Later I moved my code to Spring's successHandler, which worked fine, except it has some security issues, like if opened in multiple tabs it fails.
Any help is highly appreciated.
Thanks,
Brijesh
I think what you are looking for is to add a Spring AuthenticationProvider. In short, an AuthenticationManager has a list of AuthenticationProviders, each of which is queried in order. The question and answer to Multiple Authentication Providers in Spring Security has a good explanation of this. The Spring documentation also explains how the various components fit together.
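A licence-checking `AuthenticationProvider` placed in front of the normal password provider, as an added example (not from the answer or the linked question). It assumes Spring Security 3.1+ and a hypothetical `LicenseRepository` lookup supplied by the application. The detail worth knowing is how `ProviderManager` iterates: a provider that returns `null` hands the request to the next provider, an `AccountStatusException` stops the chain immediately, but any other `AuthenticationException` is only remembered and the next provider may still authenticate the user.

```java
package example.security; // hypothetical package

import java.util.Arrays;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** Must extend AccountStatusException so ProviderManager re-throws it instead of trying the next provider. */
class LicenseExpiredException extends AccountStatusException {
    LicenseExpiredException(String msg) { super(msg); }
}

public class LicenseCheckAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical application lookup; a repository or service bean in a real project. */
    public interface LicenseRepository {
        boolean hasValidLicense(String username);
    }

    private final LicenseRepository licenses;

    public LicenseCheckAuthenticationProvider(LicenseRepository licenses) {
        this.licenses = licenses;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        if (!licenses.hasValidLicense(username)) {
            // Stops the chain: the user is refused even if the password is correct.
            throw new LicenseExpiredException("No valid licence for account");
        }
        // Licence is fine: return null so the next provider does the real credential check.
        return null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    /** Builds the manager with the licence check queried first, then the password check. */
    public static AuthenticationManager build(LicenseRepository licenses, DaoAuthenticationProvider passwordProvider) {
        return new ProviderManager(Arrays.<AuthenticationProvider>asList(
                new LicenseCheckAuthenticationProvider(licenses), passwordProvider));
    }
}
```

Because the licence is checked before the password, the failure message shown to the browser should be the same generic "login failed" for both cases; a distinct "licence expired" message would let an unauthenticated caller learn which usernames hold a licence. If that distinction must be shown, perform the check after the password succeeds instead, e.g. in the DAO provider's post-authentication `UserDetailsChecker`.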

Using Custom Login Form (Vaadin Components with Spring Security/ROO)

I have completed setting up Spring Security using the roo shell as a guide and it has generated several views, amongst them the login.jspx. I am trying to create a custom login form using Vaadin's Visual Editor and Eclipse; how can I redirect the user to my login form and then use Spring Security to validate and authenticate the user as well as start session management? I am really trying to avoid JSP since the rest of my application is using Vaadin as its core front-end.
Vaadin has some limitations on the login form.
Have a look at: https://vaadin.com/book/-/page/components.loginform.html so you will notice what I mean.
You can also have a look at the vaadin wiki (https://vaadin.com/wiki). There are several articles on your topic. You may find your solution there :)
kind regards
.zip

Spring Framework 3.0: How to create interceptors that only apply to requests that map to certain controllers?

In its simplest form, I want an interceptor that checks session data to see if a user is logged in, and if not redirects them to the login page. Obviously, I wouldn't want this interceptor to be used on, say, the welcome page or the login page itself.
I've seen a design that uses a listing of every url to one of two interceptors, one doing nothing and the other being the actual interceptor you want implemented, but this design seems very clunky and limits the ease of extensibility of the application. It makes sense to me that there should be an annotation-based way of using interceptors, but this doesn't seem to exist.
My friend has the idea of actually modifying the handler class so that during each request it checks the Controller it is mapping the request to for a new annotation we would create (e.g. @Interceptor("loginInterceptor")).
A major point of my thinking is the extensibility, because I'd like to later implement similar interceptors for role-based authentication and/or administration authentication.
Does it sound like my friend's approach would work for this? Or what is a proper way of going about doing this?
Use Spring Security.
Please have a look at these sites, Spring Framework Annotation-based Controller Interceptor Configuration and
Ability to restrict HandlerInterceptors to specific controller paths
Hope it will be useful.
What about a Servlet Filter on all requests that sends the user to the login page if the user object isn't in the session? For the second part you can use security annotations on the controller methods that can check the user's role.
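The annotation-driven interceptor the question asks about, as an added example that belongs to none of the answers above. It inverts the friend's idea: instead of annotating controllers that need the check, the interceptor denies by default and controllers or handler methods are annotated to opt out, so a new controller cannot be exposed by forgetting an annotation. Assumptions: Spring MVC 3.1+ (`HandlerMethod`), a logged-in user stored in the session under the key `user`, and the interceptor registered with `<mvc:interceptors>` for `/**` while static resource paths are excluded from that mapping.

```java
package example.web; // hypothetical package

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/** Marks a controller class or a single handler method as reachable without login (welcome page, login page). */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface PublicPage {}

public class LoginRequiredInterceptor extends HandlerInterceptorAdapter {

    /** Session attribute set by the login controller on success (assumed key). */
    public static final String USER_SESSION_KEY = "user";

    /** Login page path, relative to the context root (assumed). */
    public static final String LOGIN_PATH = "/login";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (isPublic(handler)) {
            return true;
        }
        // getSession(false): never create a session just to find out nobody is logged in
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_SESSION_KEY) != null) {
            return true;
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
        return false; // stop processing; the controller never runs
    }

    /** Public only if the handler method or its controller class carries @PublicPage; everything else is protected. */
    static boolean isPublic(Object handler) {
        if (handler instanceof HandlerMethod) {
            HandlerMethod method = (HandlerMethod) handler;
            return method.getMethodAnnotation(PublicPage.class) != null
                    || method.getBeanType().isAnnotationPresent(PublicPage.class);
        }
        // Non-annotated handler types (e.g. a controller registered as a plain bean)
        return handler.getClass().isAnnotationPresent(PublicPage.class);
    }
}
```

Role-based checks, the second part of the question, are a second annotation resolved the same way through `HandlerMethod`, compared against the roles held by the user object in the session; the login redirect above stays in front of them so an anonymous request never reaches a role check.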
